Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp1509477ybb; Sat, 11 Apr 2020 05:16:52 -0700 (PDT) X-Google-Smtp-Source: APiQypJgxMtOp+HsCWuYZ73UAQqhYnPibuapEU3l3JuovDACnF/zeZ5vz+StuviiILEAZs283+lc X-Received: by 2002:ae9:ed04:: with SMTP id c4mr5832532qkg.367.1586607412272; Sat, 11 Apr 2020 05:16:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1586607412; cv=none; d=google.com; s=arc-20160816; b=Hr3T6ts0t9eBtT5N/JQud9MQ7ocwLWQ5cA8e/Ufl7l2rFbf4tyJ865u6IKCu/ESHSO yar/EOuMSPCZqouuNLkU6QyF1sL1qgiqDwVQBWFKC/SwVQ227RoWFNwLygloRLQ1mS4E q4aBgOkgRxzwIJ032cgLPGVIJIUPpUTQnP62MQfGnXfLnGCSTkQfs5ATXt+dUxVuv6qa VOOflhp6voN6mhM08ZxBaHtOr79ir+We6A6BRoF7rgHhbnIbhRMO2DSk7uJh5Wf4NXfZ tchpezpFV9E1cQlvMluJCCNRS54yGlE9m8p8UWP17YqDkDGJR+/v0qLYawDGxXPRCClq adoA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=CLnhtWvMPcFPqHEVR81v+yWTtEzfC7w7CnnESxbgaxI=; b=gPrZWD3Ai/+Jz5bnt70yC5gmT3ighnez6JhBjEOttL0WvIoemcqj/BCk5eYNPBUqaP vyMxbeaazpd1fhox8GWG3t+ORG74dB9+1JLVzOxRm0dHBmFIUKdsuCQPLz9CMR0+8/zp 7DpmjsejziF2HdIugfXaOEaPNEUGJl3CMNhJ5fkvM45AK+T2ld2p4Bn3PC9tDCtKfNBT 0g6A+D9i+o6TZlZOQVOE6rRMxlBsnrGQB5UbhECYJIo8K3sx7k79syfuJ3nK86JxCLNL gMBIZ3UJl4aAcJXQ2folL8oiFV/FpdU5x/kVzyTJXiiz9S+SfXEboLsznFtSl2W+0k2V /j6A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=HNfNqBCJ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a26si2905381qkl.18.2020.04.11.05.16.38; Sat, 11 Apr 2020 05:16:52 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=HNfNqBCJ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727924AbgDKMQG (ORCPT + 99 others); Sat, 11 Apr 2020 08:16:06 -0400 Received: from mail.kernel.org ([198.145.29.99]:50234 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727932AbgDKMQD (ORCPT ); Sat, 11 Apr 2020 08:16:03 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 5070020787; Sat, 11 Apr 2020 12:16:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1586607363; bh=Mlp4dDH4817TWo87N825RTd3ZoZFTS3zh2EnLg9Wzlw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=HNfNqBCJkmLq444Hj20QG8xQ53aZh+cq/OOdvA0gHySnFmJOsxYQOD3SZelEaMPh1 +UoRonGSn+3db4ehFH8fjZ+A1QOD0QVEcXzrTqEF3y+WFT815KGY8zLL78O+0JQ8tZ 5dL7tNZFL9cntXJ6XTIOgcgO/YrIzCLE0xAFKCug= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+98704a51af8e3d9425a9@syzkaller.appspotmail.com, Ilya Dryomov , Jeff Layton , Luis Henriques Subject: [PATCH 4.19 43/54] ceph: canonicalize server path in place Date: Sat, 11 Apr 2020 14:09:25 +0200 Message-Id: <20200411115512.886093392@linuxfoundation.org> X-Mailer: git-send-email 2.26.0 In-Reply-To: <20200411115508.284500414@linuxfoundation.org> References: <20200411115508.284500414@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Ilya Dryomov commit b27a939e8376a3f1ed09b9c33ef44d20f18ec3d0 upstream. syzbot reported that 4fbc0c711b24 ("ceph: remove the extra slashes in the server path") had caused a regression where an allocation could be done under a spinlock -- compare_mount_options() is called by sget_fc() with sb_lock held. We don't really need the supplied server path, so canonicalize it in place and compare it directly. To make this work, the leading slash is kept around and the logic in ceph_real_mount() to skip it is restored. CEPH_MSG_CLIENT_SESSION now reports the same (i.e. canonicalized) path, with the leading slash of course. Fixes: 4fbc0c711b24 ("ceph: remove the extra slashes in the server path") Reported-by: syzbot+98704a51af8e3d9425a9@syzkaller.appspotmail.com Signed-off-by: Ilya Dryomov Reviewed-by: Jeff Layton Signed-off-by: Luis Henriques Signed-off-by: Greg Kroah-Hartman --- fs/ceph/super.c | 118 ++++++++++++-------------------------------------------- fs/ceph/super.h | 2 2 files changed, 28 insertions(+), 92 deletions(-) --- a/fs/ceph/super.c +++ b/fs/ceph/super.c @@ -205,6 +205,26 @@ static match_table_t fsopt_tokens = { {-1, NULL} }; +/* + * Remove adjacent slashes and then the trailing slash, unless it is + * the only remaining character. + * + * E.g. "//dir1////dir2///" --> "/dir1/dir2", "///" --> "/". + */ +static void canonicalize_path(char *path) +{ + int i, j = 0; + + for (i = 0; path[i] != '\0'; i++) { + if (path[i] != '/' || j < 1 || path[j - 1] != '/') + path[j++] = path[i]; + } + + if (j > 1 && path[j - 1] == '/') + j--; + path[j] = '\0'; +} + static int parse_fsopt_token(char *c, void *private) { struct ceph_mount_options *fsopt = private; @@ -398,73 +418,6 @@ static int strcmp_null(const char *s1, c return strcmp(s1, s2); } -/** - * path_remove_extra_slash - Remove the extra slashes in the server path - * @server_path: the server path and could be NULL - * - * Return NULL if the path is NULL or only consists of "/", or a string - * without any extra slashes including the leading slash(es) and the - * slash(es) at the end of the server path, such as: - * "//dir1////dir2///" --> "dir1/dir2" - */ -static char *path_remove_extra_slash(const char *server_path) -{ - const char *path = server_path; - const char *cur, *end; - char *buf, *p; - int len; - - /* if the server path is omitted */ - if (!path) - return NULL; - - /* remove all the leading slashes */ - while (*path == '/') - path++; - - /* if the server path only consists of slashes */ - if (*path == '\0') - return NULL; - - len = strlen(path); - - buf = kmalloc(len + 1, GFP_KERNEL); - if (!buf) - return ERR_PTR(-ENOMEM); - - end = path + len; - p = buf; - do { - cur = strchr(path, '/'); - if (!cur) - cur = end; - - len = cur - path; - - /* including one '/' */ - if (cur != end) - len += 1; - - memcpy(p, path, len); - p += len; - - while (cur <= end && *cur == '/') - cur++; - path = cur; - } while (path < end); - - *p = '\0'; - - /* - * remove the last slash if there has and just to make sure that - * we will get something like "dir1/dir2" - */ - if (*(--p) == '/') - *p = '\0'; - - return buf; -} - static int compare_mount_options(struct ceph_mount_options *new_fsopt, struct ceph_options *new_opt, struct ceph_fs_client *fsc) @@ -472,7 +425,6 @@ static int compare_mount_options(struct struct ceph_mount_options *fsopt1 = new_fsopt; struct ceph_mount_options *fsopt2 = fsc->mount_options; int ofs = offsetof(struct ceph_mount_options, snapdir_name); - char *p1, *p2; int ret; ret = memcmp(fsopt1, fsopt2, ofs); @@ -482,21 +434,12 @@ static int compare_mount_options(struct ret = strcmp_null(fsopt1->snapdir_name, fsopt2->snapdir_name); if (ret) return ret; + ret = strcmp_null(fsopt1->mds_namespace, fsopt2->mds_namespace); if (ret) return ret; - p1 = path_remove_extra_slash(fsopt1->server_path); - if (IS_ERR(p1)) - return PTR_ERR(p1); - p2 = path_remove_extra_slash(fsopt2->server_path); - if (IS_ERR(p2)) { - kfree(p1); - return PTR_ERR(p2); - } - ret = strcmp_null(p1, p2); - kfree(p1); - kfree(p2); + ret = strcmp_null(fsopt1->server_path, fsopt2->server_path); if (ret) return ret; @@ -564,6 +507,8 @@ static int parse_mount_options(struct ce err = -ENOMEM; goto out; } + + canonicalize_path(fsopt->server_path); } else { dev_name_end = dev_name + strlen(dev_name); } @@ -990,7 +935,9 @@ static struct dentry *ceph_real_mount(st mutex_lock(&fsc->client->mount_mutex); if (!fsc->sb->s_root) { - const char *path, *p; + const char *path = fsc->mount_options->server_path ? + fsc->mount_options->server_path + 1 : ""; + err = __ceph_open_session(fsc->client, started); if (err < 0) goto out; @@ -1002,16 +949,6 @@ static struct dentry *ceph_real_mount(st goto out; } - p = path_remove_extra_slash(fsc->mount_options->server_path); - if (IS_ERR(p)) { - err = PTR_ERR(p); - goto out; - } - /* if the server path is omitted or just consists of '/' */ - if (!p) - path = ""; - else - path = p; dout("mount opening path '%s'\n", path); err = ceph_fs_debugfs_init(fsc); @@ -1019,7 +956,6 @@ static struct dentry *ceph_real_mount(st goto out; root = open_root_dentry(fsc, path, started); - kfree(p); if (IS_ERR(root)) { err = PTR_ERR(root); goto out; --- a/fs/ceph/super.h +++ b/fs/ceph/super.h @@ -86,7 +86,7 @@ struct ceph_mount_options { char *snapdir_name; /* default ".snap" */ char *mds_namespace; /* default NULL */ - char *server_path; /* default "/" */ + char *server_path; /* default NULL (means "/") */ char *fscache_uniq; /* default NULL */ };